diff --git a/source b/source index ffb6323c640..f8ef178fc25 100644 --- a/source +++ b/source @@ -18248,12 +18248,13 @@ included with Exhibit B.
  • If either the a element has a download attribute and the algorithm is not allowed - to show a popup; or, if the user has not indicated a specific browsing context for following the link, and the element's target - attribute is present, and applying the rules for choosing a browsing context given a - browsing context name, using the value of the target attribute as the browsing context name, would result - in there not being a chosen browsing context, then run these substeps:

    + data-x="attr-hyperlink-download">download attribute and the algorithm is not + triggered by user activation; or, if the user has not indicated a specific + browsing context for following the link, and the element's target attribute is present, and applying the rules + for choosing a browsing context given a browsing context name, using the value of the + target attribute as the browsing context name, would + result in there not being a chosen browsing context, then run these substeps:
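Review bot: The compound condition in the a element step ("If either ... download attribute and the algorithm is not triggered by user activation; or, if the user has not indicated ...") relies on a semicolon to show how the "and" and "or" clauses group. Since this sentence is being rewritten anyway, consider splitting it into two separate conditions (the download case and the target case) so the user-activation check cannot be read as applying to the target branch as well.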

      @@ -36794,11 +36795,13 @@ dictionary TrackEventInit : EventInit {
    1. If the area element has a download - attribute and the algorithm is not allowed to show a popup; or, if the user has not indicated a specific browsing context for following the link, and the element's target attribute is present, and applying the rules - for choosing a browsing context given a browsing context name, using the value of the - target attribute as the browsing context name, would - result in there not being a chosen browsing context, then run these substeps:

      + attribute and the algorithm is not triggered by user activation; or, if the user + has not indicated a specific browsing context for following the link, and the + element's target attribute is present, and applying + the rules for choosing a browsing context given a browsing context name, using the + value of the target attribute as the browsing + context name, would result in there not being a chosen browsing context, then run these + substeps:
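Review bot: The area element step repeats the a element condition word for word, and the two copies are already wrapped differently in this patch, which makes it easy for them to drift apart in a later edit. Consider moving the download and target check into one shared set of steps that both a and area invoke, so the user-activation gate on downloads is defined in one place.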

        @@ -45668,7 +45671,7 @@ ldh-str = < as defined in click event that was fired by the steps above leading up to this point.

        +

        An algorithm is triggered by user activation if any of + the following conditions is true:

        + +
          +
        • The task in which the algorithm is running is currently + processing an activation behaviour whose click + event was trusted.

        • + +
        • +

          The task in which the algorithm is running is currently + running the event listener for a trusted event + whose type is in the following list:

          + +
            +
          • change
          • +
          • click
          • +
          • dblclick
          • +
          • mouseup
          • +
          • reset
          • +
          • submit
          • +
          + +
        • + +
        • +

          The task in which the algorithm is running was queued by an algorithm that was triggered by user + activation, and the chain of such algorithms started within a user-agent defined + timeframe.

          + +

          For example, if a user clicked a button, it might be acceptable for a popup + to result from that after 4 seconds, but it would likely not be acceptable for a popup to result + from that after 4 hours.

          +
        • +
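Review bot: The third condition of the new triggered by user activation definition leaves expiry to "a user-agent defined timeframe", and the only guidance is the non-normative 4 seconds versus 4 hours example, so two conforming user agents can disagree on whether the same download or popup is permitted. Because this term now gates the download attribute and external software invocation as well as popups, consider stating an upper bound, or at least adding a note that the timeframe is expected to be short.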
        + @@ -77329,48 +77368,6 @@ dictionary DragEventInit : MouseEventInit {
        -

        An algorithm is allowed to show a popup if any of the following conditions is - true:

        - -
          - -
        • The task in which the algorithm is running is currently - processing an activation behaviour whose click event - was trusted.

        • - -
        • - -

          The task in which the algorithm is running is currently - running the event listener for a trusted event whose - type is in the following list:

          - -
            -
          • change
          • -
          • click
          • -
          • dblclick
          • -
          • mouseup
          • -
          • reset
          • -
          • submit
          • -
          - -
        • - -
        • - -

          The task in which the algorithm is running was queued by an algorithm that was allowed to show a popup, - and the chain of such algorithms started within a user-agent defined timeframe.

          - -

          For example, if a user clicked a button, it might be acceptable for a popup - to result from that after 4 seconds, but it would likely not be acceptable for a popup to result - from that after 4 hours.

          - -
        • - -
        - -
        -

        The rules for choosing a browsing context given a browsing context name are as follows. The rules assume that they are being applied in the context of a browsing context, as part of the execution of a task.
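Review bot: Removing the allowed to show a popup definition here leaves any untouched reference to it dangling; the visible hunks only update the a and area link-following steps and the external-software paragraph in navigate. Please confirm that no other cross-reference to the old term remains in source. It would also help to say in the commit message that the definition was moved and renamed with its conditions unchanged, since the six event types and the timeframe example are identical in the added and removed text.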

        @@ -77414,9 +77411,9 @@ dictionary DragEventInit : MouseEventInit {
        - +
        @@ -82002,7 +81999,7 @@ State: <OUTPUT NAME=I>1</OUTPUT> <INPUT VALUE="Increment" TYPE=BUTTON O target software, e.g. by prompting the user to confirm that the source browsing context's active document's origin is to be allowed to invoke the specified software. In particular, if the navigate algorithm, when it was invoked, - was not allowed to show a popup, the user agent should not invoke the external + was not triggered by user activation, the user agent should not invoke the external software package without prior user confirmation.

        For example, there could be a vulnerability in the target software's URL
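Review bot: The renamed condition in "was not triggered by user activation, the user agent should not invoke the external software package without prior user confirmation" remains only a should, and the new definition also counts tasks queued later, within a user-agent defined timeframe, as triggered by user activation. For handing a URL to external software that is a loose gate; consider either requiring the confirmation prompt in this case, or limiting it to the first two conditions of the definition so that a delayed, queued task cannot launch external software unprompted.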